MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64aa3b6b174535490dfbd46d731118c3bc146d2463f4c2efaa2bfef3ec584070. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	64aa3b6b174535490dfbd46d731118c3bc146d2463f4c2efaa2bfef3ec584070
SHA3-384 hash:	50596799729b8c3868c0e0be447f15601a0704c838dbaa58eeaf649cddd97574df14814268d01b9062d9ba5c841cc1f1
SHA1 hash:	094ec515629f4957cbc6bf822f721251f9d988b3
MD5 hash:	b5e07bb8c507e27696b0fc567c22d0cb
humanhash:	pizza-winner-hawaii-arizona
File name:	b5e07bb8c507e27696b0fc567c22d0cb.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	383'262 bytes
First seen:	2022-04-13 07:22:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep	6144:HNeZm8rMWhfYgnkLrPaivDV8hCqA8d7X86jnkN2tkehh4gvuyGSYOsRMOp/3gL4O:HNliFfxnkLGe8TA8NRI2qKh47bS2Rn5c
Threatray	5'546 similar samples on MalwareBazaar
TLSH	T1A8842310E5E0C4FFD9D223711A7A6A6BBAEEE8352C384F1F134047A87969180FA57317
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

351

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b5e07bb8c507e27696b0fc567c22d0cb.exe

Verdict:

Malicious activity

Analysis date:

2022-04-13 07:43:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5f723d4f-b52e-46c3-801a-699d5c0eaeb0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/263345/

Detection(s):

SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/13728/overview

Behaviour

MalwareBazaar

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/62567a5d482f2f41caa536ee/reports/516eaf9f-1969-4d61-a37b-fc7a9e38f577/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2e307f31-7408-4666-9d2d-a2ec21ed981f

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/975990

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: File Created with System Process Name

Yara detected FormBook

Yara detected Generic Dropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/64aa3b6b174535490dfbd46d731118c3bc146d2463f4c2efaa2bfef3ec584070/

Threat name:

Win32.Trojan.NSISInject

Status:

Malicious

First seen:

2022-04-13 07:23:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 25 (84.00%)

Threat level:

5/5

Verdict:

malicious

Formbook

5521410a48148459362ab36b0fad3e61b1ca9b674339476eac02381ffbc04aa2

Formbook

6a86f9f00d24639b2ddd8103262c4b3fdd6248f2104a88bc230f448f64892672

Formbook

7631235836aa6c88d58c25b9f4665d0c93c35b767d140ec9847e7c531a5d55aa

Formbook

863e79eefbefca07f2b0ff5689d6421ab1ec334b19466e066c744a8ad8495ad6

Formbook

bcaac39113bd17158fe86a77328f97e9c3fa14860c9c4449a8ae0768c85243f4

Formbook

caf75f7fb5dd554c31a6b2ef46e3899b3803dcbf65a52919eb4799697692a4a0

Formbook

d6adc5fd4e50b6a75c1d1e2ad96c279c2ac31472eca3c0325ae6f83852440333

Formbook

db683fe0365a4a2ed316ea5944cd1cdd05a398d65e0caaead565dec941d54f71

Formbook

eb0801ae0c61475a74fbc4bbe7c89df02fd2e2473f80b31e562af202f4dc8378

Formbook

+ 5'536 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220413-kz39rseba4/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

70a06bcb58368e722ea5821170ae0d745ee7235aeb8c91e96b7ea2a00eabc210

MD5 hash:

fd6cb10d1c8d6ae2c9818ae87dfc6e1c

SHA1 hash:

85ad8ce278ac51ec904e2370e7a6c4180514fe04

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/5a4a32bc-89d3-4b5b-8a20-906cf8800df5/

Parent samples :

76337d1595a47097a7a729d1588e494a778fb04d48e02d60f449df7a90f30b25
8c6e630e2b923d9961d01d662f8ea7455f29549515ef1fee8b99b0aa1da43858
835a8ca638d5d8775e0a38e1486d24f887306b94894edbd501cc5de9527d1cd8
7bafdf9104df0d8445c2478014a23e68200d48c2c438b4ad1820f8995936d129
64aa3b6b174535490dfbd46d731118c3bc146d2463f4c2efaa2bfef3ec584070
f1c65a4c95ac59ee5774fd858b8e4cb9cdd3d1374894c33eabeef692f76f889e

SH256 hash:

d88dc9a316d00aae5a1195e49fc3ad318224ea842d02e58f88bf22b09a978b13

MD5 hash:

3023dbbde0aa9c1e72421e4947b2ddf6

SHA1 hash:

f7bb65a6f5d40f1645562d8c1483ca52f53d3db0

Detections:

win_mofksys_auto

Link:

https://www.unpac.me/results/5a4a32bc-89d3-4b5b-8a20-906cf8800df5/

Parent samples :

64aa3b6b174535490dfbd46d731118c3bc146d2463f4c2efaa2bfef3ec584070
f1c65a4c95ac59ee5774fd858b8e4cb9cdd3d1374894c33eabeef692f76f889e
496474c14635d8ec7b918d4faf166a7855da8a64b2765dceff976abbf4eebbc3
43ef89e27ca9e14fe36f2626444fd52557aa7a62c59ce2dc13e8ec4bec2a7b7b
5dadc4b400540ed0ce0cc4947ce32817c32d0e2b808c5c5a8519bcf7d56ce810
bd9d4a2d5627b27b2e43afd37b07ce6c6b2d64a7017def2020c2c1434eae1a2a

SH256 hash:

3e3cb2416aac6222be2fd408ee6e51f55efcd03287d5a2eb477940110bdd8727

MD5 hash:

e1f21e9ca01c74bee41c991b973ee0ba

SHA1 hash:

994db370a9caad0c1be657a087f80ce5cda81dcb

Link:

https://www.unpac.me/results/5a4a32bc-89d3-4b5b-8a20-906cf8800df5/

SH256 hash:

64aa3b6b174535490dfbd46d731118c3bc146d2463f4c2efaa2bfef3ec584070

MD5 hash:

b5e07bb8c507e27696b0fc567c22d0cb

SHA1 hash:

094ec515629f4957cbc6bf822f721251f9d988b3

Link:

https://www.unpac.me/results/5a4a32bc-89d3-4b5b-8a20-906cf8800df5/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/64aa3b6b1745/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/64aa3b6b174535490dfbd46d731118c3bc146d2463f4c2efaa2bfef3ec584070

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

exe 64aa3b6b174535490dfbd46d731118c3bc146d2463f4c2efaa2bfef3ec584070

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2133006/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/263345/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample